What Lookout Says About CryptoChameleon, A New Phishing Kit Targeting Cryptocurrency Users?

A new technical report published by Lookout’s security research team on Feb 27th, 2024 reveals details on CryptoChameleon, an advanced phishing kit using novel tactics to target cryptocurrency platforms and users.

The report discloses how the phishing kit builds near-perfect spoofed login pages for services like Coinbase, Binance, and Gemini to steal user credentials. It then employs a combination of email, SMS, and voice phishing to trick victims into handing over usernames, passwords, two-factor authentication codes, and even photo IDs.

This blog post summarizes Lookout’s key findings on CryptoChameleon – how it operates, who is behind it, and how users can stay protected. We also provide technical analysis on the phishing pages, backend infrastructure, and attribution details.

How Did Lookout Detect CryptoChameleon?

Lookout’s phishing detection systems first caught wind of CryptoChameleon when they flagged a new domain registration – fcc-okta[.]com.

The domain closely impersonated the legitimate portal used by the FCC (Federal Communications Commission) for single sign-on through Okta – fcc.okta[.]com.

This pattern of mimicking company Okta pages with deceptive homographs matched techniques used by an Advanced Persistent Threat (APT) group tracked as Scattered Spider.

Scattered Spider has been linked with widespread phishing campaigns against government agencies, technology, and manufacturing sectors.
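Lookout's tip-off came from a pattern in new domain registrations. As an added example (not Lookout's code), here is a small Python triage that scores a newly-registered-domain feed for the patterns the report describes: a brand name inside a hyphenated label, numeric-ID prefixes, i/l-style homographs, and support or 2FA lure words in labels and TLDs. The brand and lure lists and the sample feed are assumptions built from the domains the report lists.

```python
from __future__ import annotations
import re

# Brands whose login portals CryptoChameleon spoofed, per Lookout's report.
BRANDS = {"coinbase", "binance", "gemini", "kraken", "okta", "icloud", "apple", "gmail"}
# Support/recovery words the kit used as lures in labels and TLDs (e.g. com-2fa[.]help).
LURES = {"help", "support", "secure", "ticket", "recovery", "reset", "2fa", "2sv", "signin", "protect"}
# Characters that look alike in many fonts are folded to one form, so "heip" compares equal to "help".
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

def fold(text: str) -> str:
    return text.lower().translate(CONFUSABLES)

FOLDED_BRANDS = {fold(b): b for b in BRANDS}
FOLDED_LURES = {fold(w): w for w in LURES}

def score_domain(domain: str) -> list[str]:
    """Return the impersonation indicators found in one newly registered domain.

    Assumes a plain label.tld form (no multi-part public suffix handling).
    Each indicator is "kind:detail" so a SIEM rule can key on the kind.
    """
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    tokens = label.split("-")
    reasons: list[str] = []
    for tok in tokens:
        brand = FOLDED_BRANDS.get(fold(tok))
        lure = FOLDED_LURES.get(fold(tok))
        if (brand and tok != brand) or (lure and tok != lure):
            reasons.append(f"homograph:{tok}->{brand or lure}")   # 0kta, heip-style swaps
        if brand and len(tokens) > 1:
            reasons.append(f"brand-in-label:{brand}")             # fcc-okta, 16642580-coinbase
        if lure:
            reasons.append(f"lure:{lure}")                        # help, support, 2fa, reset ...
    if tokens[0] in {"com", "www"} and len(tokens) > 1:
        reasons.append(f"url-mimic:{tokens[0]}")                  # com-2fa, www-help-coinbase
    if re.fullmatch(r"\d+", tokens[0]) and any(r.startswith("brand-in-label") for r in reasons):
        reasons.append("numeric-prefix")                          # the kit's NNNNN-coinbase series
    if tld in LURES:
        reasons.append(f"lure-tld:{tld}")                         # .help / .support registrations
    return reasons

def triage(feed: list[str]) -> dict[str, list[str]]:
    """Run the scorer over a newly-registered-domain feed, keeping only the hits."""
    return {d: r for d in feed if (r := score_domain(d))}

if __name__ == "__main__":
    # Constructed sample feed mixing benign names with patterns from the report's IoCs.
    sample_feed = ["fcc-okta.com", "coinbase-heip.com", "16642580-coinbase.com",
                   "com-2fa.help", "example.org", "coinbase.com"]
    for dom, hits in triage(sample_feed).items():
        print(dom, "->", ", ".join(hits))
```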

An Elaborate Phishing Attack Flow

Upon accessing the fraudulent FCC domain, users had to complete an hCaptcha challenge proving they weren't bots.

Figure: a CAPTCHA check showing the statement 'I am human' and a confirmation button, presented as securing the site connection (Source: Lookout).

This kept security crawlers from reaching the page, hindering detection and takedown, while lending the portal legitimacy in the eyes of victims.

The login page mirrored the FCC's actual Okta instance with great precision, capturing user credentials as victims typed them in. Victims had no visual cues indicating foul play.

Figure: mobile screenshot of the spoofed FCC sign-in page, with username and password fields and "powered by Okta" branding (Source: Lookout).

Interestingly, once usernames and passwords were submitted, CryptoChameleon redirected targets to a “loading” page instead of instantly capturing entered data.

Custom Redirect Logic for Maximum Impact

In the background, threat actors used the stolen credentials in real time to log in to the target accounts. Depending on which multi-factor controls were enforced, the phishing system redirected users to customized pages asking for supplemental login factors such as SMS tokens, one-time passcodes, or photo IDs.

This dynamic redirection architecture minimized user suspicion while extracting maximum data to ensure account takeovers.

Figure: HTML source of a selection menu with grouped options for Okta, AOL, and Gmail; a second menu covers Outlook, iCloud, Gmail, Yahoo, and AOL and includes a custom URL option (Source: Lookout).

For example, the SMS token page tricked victims into handing over their registered mobile numbers and revealing whether they used 6- or 7-digit codes.

Such customizable credential harvesting at scale is highly uncommon and a serious concern for user privacy.

Figure: JavaScript snippet for an interactive prompt asking for the last two digits of a phone number, plus a confirmation dialog covering the timeout and code format (Source: Lookout).

Blending Technology with Social Engineering

In other incidents, while victims were on the phishing pages, attackers called them posing as authorized support reps and walked them through the login over text messages and voice calls.

Figure: a mobile phone receiving a suspected phishing SMS claiming to be from Coinbase and urging the recipient to secure the account (Source: Lookout).

This persistent social manipulation removed any doubt victims may have had about the legitimacy of the SMS- and call-based challenges, enabling complete account takeovers in many cases.

As Lookout's analysis shows, CryptoChameleon's combination of highly deceptive login portals with technical and social engineering techniques let it steal hundreds of sets of cryptocurrency account credentials.

How Does the Phishing Campaign Work?

Lookout’s report discloses a multi-stage process followed by attackers to ensure success in credential harvesting and account takeovers:

Stage 1 – Target Identification

Threat actors register domains impersonating popular cryptocurrency apps and exchanges such as Coinbase, Binance, and Gemini. Email addresses and phone numbers of potential victims, mostly cryptocurrency holders in the US, are compiled.

Stage 2 – Phishing Page Creation

Relevant JavaScript, CSS, and image files are embedded into the phishing sites to mimic the login portals of the impersonated brands exactly. For example, coinbase-heip[.]com stands in for coinbase-help[.]com, relying on the near-identical look of the letters 'i' and 'l'.

Stage 3 – Initiate Credential Harvesting

Phishing links are sent to the identified targets through SMS and email campaigns. Users who follow them are led through a browser captcha and then hand over usernames and passwords on the fake login pages.

Stage 4 – Maintain Access Through 2FA

To bypass the two-factor authentication that cryptocurrency apps enforce, attackers dynamically redirect visitors through customized information-stealing pages after capturing usernames and passwords.


Victims enter one-time passcodes, SMS tokens, and photo IDs, which threat actors immediately use to access online wallets.

Stage 5 – Account Takeover

From the phishing kit's dashboards, attackers collect the captured authentication factors and personal information and use them to access the online accounts. Funds are drained into attacker-controlled wallets for laundering.

As Lookout researchers uncovered, this blend of technology and social engineering allowed CryptoChameleon to successfully target and compromise hundreds of cryptocurrency users, primarily based in the US.

The infrastructure analysis also traces early connections to the Russian-linked Scattered Spider hacker collective, known for credential theft. While attribution remains fuzzy, the overlaps in TTPs are a concern for the security community.

Bottom Line

CryptoChameleon shows that phishing can be dangerously effective even against tech-savvy communities like cryptocurrency adopters. The use of captchas, logos, and homographs makes it tough for average users to judge the legitimacy of the pages they access.

As nation-state-backed groups increasingly focus on credential compromise, users should follow best practices such as enabling two-factor authentication with hardware tokens and staying alert to SMS- or call-based phishing attempts.
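Why hardware tokens hold up against the real-time relay described above, as an added illustration that is not part of Lookout's report: a FIDO2/WebAuthn authenticator signs client data in which the browser itself records the page origin, so an assertion produced on a look-alike domain such as fcc-okta[.]com fails the relying party's origin check even when it is forwarded instantly. The allowed-origin set and the simplified server checks (signature verification omitted) are assumptions for this example.

```python
from __future__ import annotations
import base64
import json
import secrets

# Assumed relying-party configuration: the origins at which the hardware token was
# registered. The look-alike phishing origin is deliberately not in this set.
ALLOWED_ORIGINS = {"https://fcc.okta.com"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_client_data(origin: str, challenge: bytes) -> str:
    """What the victim's browser embeds in the signed assertion. The origin is filled
    in by the browser from the page the user is on; page scripts cannot change it."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> tuple[bool, str]:
    """Server-side checks on clientDataJSON: ceremony type, origin binding and
    challenge freshness. Signature verification is left out of this example."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"assertion produced at unregistered origin {data.get('origin')}"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    return True, "ok"

def relay_scenario(victim_origin: str) -> tuple[bool, str]:
    """Live relay: the real site issues a challenge, the attacker forwards it to the
    victim, and the victim's token signs it on whatever origin the victim is visiting."""
    challenge = secrets.token_bytes(32)
    forwarded_assertion = browser_client_data(victim_origin, challenge)
    return verify_client_data(forwarded_assertion, challenge)

if __name__ == "__main__":
    print(relay_scenario("https://fcc.okta.com"))   # genuine site: accepted
    print(relay_scenario("https://fcc-okta.com"))   # look-alike from the report: rejected
```

An SMS or app-generated one-time code carries no such origin, which is why the kit's "supplemental factor" pages could relay those codes successfully.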

For enterprises, advanced threat intelligence coupled with technologies that detect known phishing infrastructure offers reliable safeguards against attacks like CryptoChameleon.

As Lookout states, continued tracking of threat actor behaviors and updating of phishing site databases will be vital in this arms race. Individual users need to remain vigilant when accessing online accounts, especially in the fintech and cryptocurrency sectors, which offer rich rewards for attackers.

Indicators of Compromise

